from the terrorism-is-just-things-we-don't-fully-comprehend dept

Jeremy Hammond -- a member of various Anonymous offshoots -- had the misfortune of being prosecuted in the United States. While his UK accomplices in the Stratfor hack were sentenced to 1-3 years, Hammond received a 10-year sentence (along with three years of supervised release) for his participation. The length of Hammond's sentence was mainly due to the CFAA (Computer Fraud and Abuse Act) being a horribly-written law (and there's a possibility it will get much worse in the future), and the FBI's willingness to toss the hacktivist under the bus for the sins of Anonymous, while glossing over the fact that it was an FBI informant (Hector Monsegur, aka Sabu) who handed out hacking targets to Hammond.

A leaked document originating from the New York State Division of Criminal Justice Services (DCJS) reveals that Hammond was considered a "possible terrorist organization member," and indicates that he was placed on the multi-agency Terrorist Screening Database (TSDB), alongside individuals suspected of ties to Al Qaeda, Somalia-based extremists al-Shabaab, and Colombia's leftist FARC guerilla movement.

Here's the pertinent information in all of its teletyped glory:

The document also includes Hammond's rap sheet, which, up to that point, only includes fraud and unauthorized computer access related to the theft of credit card information from a conservative website. What it doesn't include is anything that might justify his addition to the terrorist watchlist -- unless the FBI considers protests to be a terrorist activity.

Of course, the government agencies that have the power to place US citizens on terrorist watchlists don't seem interested in providing justification for their decisions. Just having a vague sense of unease seems to be all the "evidence" any agent/official needs to declare a person a threat to this country. Nearly 40% of those currently on the government's terrorist watchlist have "no known affiliation to recognized terrorist groups."

The government has long shown it doesn't understand hacking and is no fan of activism -- generally viewing both activities as some sort of threat. So, on the watchlist Hammond went, something that presumably played a part in the prosecution's push for a decade-long sentence for the hacktivist. His actions and motives were often far from pure, but his imprisonment appears to be a result of the FBI throwing an unwitting operative onto the judicial scrapheap before moving on to its next sting operation.

from the time-served-indeed dept

Earlier this week, there were plenty of reports about how Hector Xavier Monsegur, also known as "Sabu," the leader-turned-informant of the Anonymous spinoff hacking project LulzSec, was released from jail early for his "extraordinary cooperation" with the FBI. Technically, this was at his sentencing, and he was given "time served" (amounting to about 7 months in jail). Most folks have noted that the "extraordinary cooperation" involved handing over the names and information on other LulzSec members, including Jeremy Hammond, who was recently sentenced (by the same judge) to 10 years in prison.

However, that seems to leave out the other, increasingly troubling, aspect of the Sabu story -- which was that he didn't just "cooperate" with the FBI in fingering various LulzSec members, he actually gave them orders (which first came from the FBI) on who to hack, including key government computers in a variety of foreign countries. It seems likely that this was the "extraordinary cooperation" that helped Sabu secure a much shorter sentence.

Two of the other individuals that Sabu helped authorities arrest and prosecute have commented on Sabu's deal. Jake Davis highlights how Sabu was a huge "get" for the FBI, since they didn't seem to understand much about internet hacking without Sabu to lead them through everything -- and he wonders if this will lead others to rush to become informants as well. In fact, Davis points out that the whole reason for the light sentence is probably to encourage more informants -- though, it could equally be argued that it's not just to encourage more informants, but more people who can help the FBI secretly hack into targets.

Meanwhile, another LulzSec member, Ryan Ackroyd, who was recently released after serving 9 months of a 30-month sentence, pointed out that while the sentence is unsurprising, it's somewhat ridiculous given Sabu was in many ways "the worst" of the bunch:

"Sabu was the worst one out of us all, he should have been given the largest sentence. He was the one stealing from people's bank accounts, credit cards and PayPal so that he could pay his bills and buy new things. Sabu talked people into hacking things for him and when he got caught he decided to snitch on these people, for something he asked them to do, in order to save himself."

Either way, no matter what you think of the situation and Sabu, it seems worth remembering that he didn't just help find other LulzSec members, he got them to hack specific FBI targets.

from the doj-pile-on dept

In yet another Computer Fraud and Abuse Act case, in which the DOJ piled on charge after charge after charge until the person they were pressuring accepted a plea bargain, Jeremy Hammond has officially accepted a plea deal for helping LulzSec/Anonymous hack Stratfor. He admits that he did it, and given that, it's perfectly reasonable to suggest that some punishment is warranted, but it still seems troubling the amount of pressure that the DOJ used to get him to take a plea bargain. We've talked about this for years: very few cases go to trial, because the DOJ pulls out everything possible to pressure you to take a plea:

There were numerous problems with the government's case, including the credibility of FBI informant Hector Monsegur. However, because prosecutors stacked the charges with inflated damages figures, I was looking at a sentencing guideline range of over 30 years if I lost at trial. I have wonderful lawyers and an amazing community of people on the outside who support me. None of that changes the fact that I was likely to lose at trial. But, even if I was found not guilty at trial, the government claimed that there were eight other outstanding indictments against me from jurisdictions scattered throughout the country. If I had won this trial I would likely have been shipped across the country to face new but similar charges in a different district. The process might have repeated indefinitely. Ultimately I decided that the most practical route was to accept this plea with a maximum of a ten year sentence and immunity from prosecution in every federal court.

It's worth noting that others involved in the same case have been sentenced to much lower sentences in the UK, so it will be interesting to see what the final sentencing yields.

Hammond insists that he still stands by what he did:

Now that I have pleaded guilty it is a relief to be able to say that I did work with Anonymous to hack Stratfor, among other websites. Those others included military and police equipment suppliers, private intelligence and information security firms, and law enforcement agencies. I did this because I believe people have a right to know what governments and corporations are doing behind closed doors. I did what I believe is right.

As I've said before, while I understand why people think this is a reasonable strategy, such hacks almost always lead to more backlash than forward momentum. Yes, governments and companies are doing questionable things behind closed doors, but hacking into them to "prove" that takes away much of the value of finding out that information, and only increases the power of the government to create and use laws like the CFAA broadly to stifle perfectly legitimate uses of computers.

from the top-down-approach-to-a-bottom-up-threat dept

Interesting timing. Just about the same time that we had our story concerning how LulzSec kept its own site from getting hacked, the news was breaking that the key leaders of LulzSec were being arrested, in large part because the "leader" of the group had become an FBI informant after they tracked him down last year. Of the various hacking efforts out there, LulzSec has definitely been the most brazen, so it's not a huge surprise that it would be targeted by the FBI. Also, unlike "Anonymous," LulzSec was pretty clearly an effort by a few key individuals, rather than a loose collective of folks joining and leaving at will.

As I've been saying since these various groups started their various hacking and vandalism campaigns, I think these efforts are a really bad idea, and don't do much to further the supposed causes that they're trying to support. They're only going to lead to backlash, as we're already seeing in government officials using these groups as an excuse to try to make a power grab over the wider internet.

Given that, as I've said in the past, I haven't been surprised to see the various arrests of folks supposedly associated with Anonymous or LulzSec. I expect that we'll continue to hear such stories -- in part because these kinds of stories are likely to provoke more of the same type of activity. Law enforcement keeps claiming that these arrests will frighten off others, but that shows a typical lack of understanding of what's going on. As counterproductive as these activities are, it's pretty clear that this isn't about criminal activity for the sake of criminal activity, but about dissatisfaction with what's going on in the world -- and, as such, the arrests are actually only likely to create more such activity, which is the exact opposite of what law enforcement should be seeking to do.

Not understanding who they're dealing with, and taking a top down approach to a bottom up threat, seems to be a specialty of US law enforcement.

Again, I think that the actual efforts by these folks are incredibly counterproductive and set up this "battle-siege" mentality, when the folks involved in all of this could be much more strategic in using their skills for good, rather than destruction. But that doesn't mean that we should ignore the reality of why it's happening, or how it's likely to continue to evolve. More groups will pop up, more hacks will happen and (I'm sure) more disaffected skilled computer hackers will be arrested. But none of that (either the hacking or the arrests) is likely to bring us any closer to actually dealing with the problems that created this mentality in the first place.

from the now-wouldn't-that-be-funny dept

Police in the UK recently reported that they had arrested a hacker who goes by the name Topiary, and often acts as the spokesperson for LulzSec. There's just one problem. A number of the people who follow LulzSec closely (and who have attempted to expose who they really are) note that much of the evidence they have suggests that Topiary is someone entirely different, and that the real Topiary purposely copied his "identity" from a "troll." They're suggesting that the police caught the "troll" instead of the real Topiary. At this point, who knows what's the actual situation, but it wouldn't surprise me if the folks involved in LulzSec were slightly better at covering their tracks (or using misdirection) than the police were at tracking them...

from the for-the-lulz dept

Things just keep getting more ridiculous with the reaction of governments to things like Anonymous and LulzSec. The latest is that Simon Moores, a UK government "advisor" on online crime issues, is warning that the KGB might "infiltrate" LulzSec:

“If you have a LulzSec or an Anonymous that is perhaps being manipulated by a foreign actor, it takes us back to the days of the Stasi and the KGB, which were manipulating [anti-nuclear campaign group] CND quite easily from Moscow,” he said, referring to reports that the anti-nuclear peace movement was unwittingly compromised and manipulated by Kremlin machinations.

According to Moores, mustering popular support for an issue through online hacktivist groups and forums could be used as a tool to drive policy to perform actions that furthered a country's interests.

This is based on... what? It appears absolutely nothing. It appears to be pure conjecture of what could happen, even though it's extremely unlikely. While it could be argued that some members of these groups can be influenced and pushed in certain directions, it goes pretty far to then assume that leads to an effective infiltration and use by foreign powers.

from the unreasonable-search-and... dept

Last week's big LulzSec (pre-disbandment) dump of Arizona police info apparently included some documents telling police to search the iPhones of arrestees for specific apps, including OpenWatch, a simple app for recording people (targeted at authorities) without it displaying on the phone that they're being recorded. The police were also told to look for speed trap identifying apps and an app that lets people spoof caller ID numbers. As we've discussed a few times, there are some legal questions about whether or not cops can just search your iPhone during, say, a routine traffic stop, but tragically a few courts have said it's fine. That seems rather troubling, as the cops can search your phone after just a routine traffic stop... and then potentially get you in more trouble just because they don't like the types of apps you have?

Separately, the article notes that the Justice Department has been sending around notices to local law enforcement, telling them to be aware that iPhone users have a feature that lets them remotely wipe their phones. This is part of the MobileMe service, and the wiping has a perfectly legitimate purpose: to let someone who has lost their phone or had it stolen wipe the data from the phone. It's pretty useful, really. But police who are seizing phones and want to search them later are scared that evidence can be destroyed this way, so the Justice Department is telling them to store the phones in Faraday bags to keep them disconnected from any network, so they can't receive the "wipe" signal.

from the having-an-impact dept

Well, this is getting interesting. While I still don't approve of the tactics of vigilante hacker groups, it's hard to deny that they're having some impact. After reports came out that Australian telco giant Telstra was going to start censoring the internet by blocking a bunch of sites the government says are evil, the company has now indicated that it's wavering on its support of the plan, in large part due to fear of hacker reprisal attacks. In the stilted English of The Australian:

It is understood Telstra was last night still grappling with the decision as to whether to commit to the voluntary filter because of fears of reprisals from the internet vigilantes behind a spate of recent cyber attacks.

It is understood the unstructured collective of hackers that identifies itself as Lulz Security, which has an agenda to wreak havoc on corporate and government cyber assets, claiming this is to expose security flaws, is one of Telstra main concerns.

While I don't think the filters are a good idea, and am surprised and impressed by the "effectiveness" of LulzSec's efforts in getting Telstra to be aware that people don't like these filters and that there could be consequences, I do still wonder if this is really the best way to go about these things. Lots of folks will cheer this on because they agree with the end result (no censorship), but what if LulzSec (or a similar group, now that LulzSec says it's going away) makes a unilateral decision on something you disagree with? One of the problems of the censorship plan in Australia is that there's no oversight, and no way to appeal. But isn't that the same thing with those targeted by hacktivists? Even if we agree with their general outlook, there's still a very real risk of collateral damage in a different way.

Of course, it's not just Telstra rethinking its position on censoring the internet. Apparently some of the other ISPs who had agreed to take part in this "voluntary" censorship are suddenly saying that it's not definite yet as to whether they'll take part. It sounds like many of these ISPs hoped they could just start censoring the internet without anyone noticing.

from the don't-be-misled dept

Lots of news over the weekend concerning the surprise announcement that LulzSec -- the group of "hacktivists-for-the-lulz" who were able to generate so much attention -- had announced plans to disband just a day or so after promising many more hacks. The speculation, of course, was that they realized that law enforcement might be closing in on some of them. The group, not surprisingly, denies all this and insists it always planned to call it quits about now anyway. I doubt this is true, but I don't think it really matters. I think the thing that people are underestimating is that LulzSec wasn't so much an "organization," as it was a group who got together in an ad hoc manner and decided to go on this hacking rampage. The point is that pretty much any group of decently skilled hackers could decide to do the same thing. Hell, the same group could decide to do the same thing under a different name. Between LulzSec, Anonymous and others, people are beginning to recognize that they can have a pretty big impact with some pretty straightforward hacks. That realization isn't going to go away any time soon.

from the making-omelets dept

As a bunch of folks have been sending in, the FBI raided a data center in Reston, Virginia, seizing a bunch of servers and taking a bunch of sites offline (including some big names). This isn't -- as some suggested -- quite the same thing as the infamous ICE domain seizures. This sort of thing does happen from time to time, when law enforcement is seeking actual information on a server which is part of a larger criminal investigation. That said, it always amazes me how much collateral damage law enforcement does in these situations, when it seems like they could definitely be a lot more targeted. Even worse, the reports claim that the FBI is actually trying to chase down the loose hacker collective LulzSec, which seems like a waste of time. Frankly it seems like the FBI must have something more important to work on. That said, it does seem somewhat ironic that in trying to track down a group that has been taking down (somewhat random) websites, the FBI has also taken down a bunch of websites, including the popular blog network Curbed, and parts of the super popular utility Instapaper.